Since they started the rollups in October, I have had consistent problems with the KBs mapping to the correct update files. For instance, KB4019108 is the DotNet Security only update. However, KB4019108 is not an actual patch. The actual update consists of a different KB broken off by DotNet version. In the case of Win7/DotNet 4.6, the patch is KB4014591.

The problem is the same with all DotNet patches since October but I will just use KB4014985 as an example. KB4014985 is listed in the log as missing. When I go to the catalog to download it manually, I get these files offered:

All of the appropriate patches are present in the WSUSO image, they just don't get picked up by the MS scan. I wrote an AutoIT script to install the rollups and have it kicking off as part of the initialization script. If anyone is interested I'll post the code.

Depends upon how much of the individual kb info is stored somewhere in the catalog and if we are able to reliably retrieve the info from it.If that info is not there or not easily obtained we need to do statics.Then we may need to split the statics into 4.5x, 4.6x and 4.7x as all three are still supported (4.6x max for server 2008)